ssh_config: add conf block for sftp apps

data/templates/ssh/sshd_config

@@ -90,6 +90,14 @@ Match Group sftp.main,!ssh.main
     # Disable .ssh/rc, which could be edited (e.g. from Nextcloud or whatever) by users to execute arbitrary commands even if SSH login is disabled
     PermitUserRC no
 
+Match Group sftp.app,!ssh.app
+    ForceCommand internal-sftp
+    ChrootDirectory %h
+    AllowTcpForwarding no
+    AllowStreamLocalForwarding no
+    PermitTunnel no
+    PermitUserRC no
+    PasswordAuthentication yes
 
 # root login is allowed on local networks
 # It's meant to be a backup solution in case LDAP is down and